Modern computer networks employ security detection mechanisms to deter and prevent security attacks by unauthorized entities. Security attacks include viruses, worms and other threats which an attacker introduces by an unauthorized connection into a computer system via a public access network such as the Internet. Such threats often take the form of self-replicating code which propagates from node to node in a network by breaching a system, such as via email or an unprotected port, to gain access to the executable memory area of a victim computer node. Once introduced, the malicious code typically attempts to propagate further around the network by breaching adjacent nodes, sometimes after executing code which produces an undesirable effect on the victim node, such as deleting critical files.
Most security detection mechanisms attempt to prevent unauthorized access altogether, in an absolute manner. Mechanisms such as firewalls, password protection, security filters, and outright physical separation all operate by preventing any unauthorized access beyond the point at which the security mechanism is implemented. These security measures strive for absolute “on or off” access; the security check either passes or fails at the implementation point. However, a single successful breach of the security mechanism at the implementation point allows uninhibited access from then on. There is no inherent authorization “watchdog,” or revalidation of authorization, beyond the discrete implementation “gatekeeper” point.
Analysis of certain activities over time, however, may suggest a pattern of activity tending to correspond to illicit usage and potentially malicious and/or improper activity. One such activity is so-called “port scanning,” which is generally recognized as an illegitimate activity except possibly in narrow security audit situations. Such activity is usually either a reconnaissance effort that precedes some form of attack on a system, or an effort to evade management of resources. Port scanning involves repeated, rapid attempts to gain access to different systems, and is an activity which a legitimate user is unlikely to perform. Port scanning, therefore, is an electronic equivalent to a thief trying every door on a city block until they find one that opens.
Several prior art systems have attempted to address port scanning. It appears to be widely accepted that port scanning is both generally bad and detectable. Numerous so-called “personal firewalls” purport to block such an attack at a particular end system. Such efforts serve to notify, and typically block, such an attack. Intrusion Detection System (IDS) products collect potentially significant network events from a variety of nodes, and analyze the events in aggregate to ward off false alarms from legitimate activity, potentially modifying “dynamic shunning” firewalls, such as that proposed by Descan.net of Seattle, Wash. The Descan system purports to identify abusive scanning behavior with heuristics and statistical analysis, and then reports the activity to a system administrator.
Another prior art approach is described by Williamson: “Throttling Viruses: Restricting propagation to defeat malicious mobile code,” Matthew M. Williamson, Hewlett-Packard Laboratories, Bristol, HPL-2002-172, June 2002. Williamson suggests a filter on a network stack that uses a series of timeouts to restrict the rate of connections to new hosts. Williamson, therefore, appears to be a filter for limiting a rate of allowed connections from an infected node to adjacent nodes, and therefore does not attempt to prevent an initial influx of a virus, but rather to limit the spread from an infected PC.
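The Williamson throttle described above, as an added example that is not code from the patent or from Williamson's paper: the working-set size, the one-host-per-tick release rate and the alarm threshold are assumed parameters, and the two traces are constructed.

```python
from collections import deque

class ConnectionThrottle:
    """Williamson-style throttle: hosts in the working set connect at once; connections
    to new hosts queue and are released one per timeout tick. A long queue is the alarm."""

    def __init__(self, working_set_size=5, alarm_threshold=10):
        self.working_set_size = working_set_size  # assumed parameter
        self.alarm_threshold = alarm_threshold    # assumed parameter
        self.working_set = []        # recently contacted hosts, oldest first
        self.delay_queue = deque()   # pending connections to new hosts
        self.alarm = False

    def _touch(self, host):
        # move host to the newest end of the working set, evicting the oldest
        if host in self.working_set:
            self.working_set.remove(host)
        self.working_set.append(host)
        if len(self.working_set) > self.working_set_size:
            self.working_set.pop(0)

    def request(self, host):
        """Return True if the connection passes now, False if it is delayed."""
        if host in self.working_set:
            self._touch(host)
            return True
        self.delay_queue.append(host)
        if len(self.delay_queue) > self.alarm_threshold:
            self.alarm = True
        return False

    def tick(self):
        """Timeout expiry: release the oldest queued connection, if any."""
        if self.delay_queue:
            self._touch(self.delay_queue.popleft())

def simulate(trace, working_set_size=5, alarm_threshold=10):
    """trace: per-tick lists of destination hosts -> (passed, delayed, alarm)."""
    throttle = ConnectionThrottle(working_set_size, alarm_threshold)
    passed = delayed = 0
    for hosts in trace:
        for host in hosts:
            if throttle.request(host):
                passed += 1
            else:
                delayed += 1
        throttle.tick()
    return passed, delayed, throttle.alarm

# Constructed traces: a user revisiting a few hosts, and a worm-like sweep of 20 hosts.
NORMAL = [["mail"], ["web"], ["mail", "web"], ["file"], ["mail"], ["web", "file"]]
SWEEP = [[f"10.0.0.{i}" for i in range(1, 21)]] * 3
```

The sweep trace illustrates the point made above: the throttle does not stop the first connection attempts, but it holds the infected node to one new host per tick and raises the alarm within the first tick.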
ForeScout Technologies, Inc., of San Mateo, Calif., proposes focusing on a potential attacker and identifying pre-attack activities to proactively defend against malicious activity (See U.S. Pat. No. 6,363,489, Mar. 26, 2002, “Method for automatic intrusion detection and deflection in a network”). This system arranges to feed disinformation to port scanners and similar reconnaissance techniques so that any subsequent attack has an unmistakable signature. However, such an approach appears to assume substantial preparation and anticipation on the part of the user. A user may not wish to expend resources in such an elaborate anticipatory mechanism.